The failure of the Information Commissioner's Office to impose a monetary penalty on cosmetics firm Lush - for failing to protect thousands of customer records from hackers - sends out all the wrong messages, according to authentication firm SecurEnvoy.
"What we have here is a major e-commerce web portal - run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally - that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free," said Steve Watts, co-founder of SecurEnvoy.
That the privacy watchdog feels it cannot penalise a company whose database has been exposed for 120 days - without its IT staff being aware - shows how crass the UK's data protection legislation is when it comes to penalties, said Steve Watts.
"This is the data protection equivalent of the hoodlum that robs a store of its cash and then gets off with community service and warned not to do it again. It does not represent justice in any shape or form," said Watts.
The Information Commissioner's Office (ICO) responded by saying monetary penalties can be imposed only if the contravention meets the legal threshold. This is set out in the statutory guidance about the issuing of monetary penalties.
"The set of criteria we must satisfy in order to issue a monetary penalty - which has been set out and approved by Parliament - clearly states that a company must have failed to take reasonable steps to prevent a contravention," an ICO spokesman said.
"In this case, the ICO could not say that Lush had failed to take reasonable steps. They did not, however, fully meet industry standards relating to card payment security," the spokesman said.
For this reason, the ICO is reminding online retailers that, if they do not adopt this standard (PCI DSS), or provide equivalent protection when processing customers' credit card details, they risk enforcement action from the ICO, said the spokesman.